Misc. Sep 11, 2017
Accenture ar77598

Equifax Data Breach - How Did It Happen?

Does anyone have insider information into how the hackers got access to user data? I understand not all info might be appropriate to share (ongoing investigation, vulnerability still exposed), but it would be good for customers to know if there was negligence from Equifax in their security standards. I mean, they charge for identity theft protection, FFS!

Eigen Mee Sep 11, 2017

If any of you are using Apache HTTP Server, just be careful. It is a server vulnerability that caused this.

Accenture ar77598 OP Sep 11, 2017

Would you say it is a vulnerability that could not have been resolved before the breach? Most IT teams have mandatory security patches for everything as soon as they come up for their production infrastructure.

Eigen Mee Sep 11, 2017

It is an open source software issue which is yet to be resolved.

Microsoft TangoCharl Sep 11, 2017

"Most IT teams have mandatory security patches for everything as soon as they come up." You have no idea. I LOL'ed. Stop thinking about big tech companies. Most smaller non-tech firms don't have a clue.

Accenture ar77598 OP Sep 11, 2017

Agreed but... Equifax?

GE Ermahgerd Sep 11, 2017

Same way they all happen: corporate ignorance and no incentive to care about securing data. The US needs an equivalent of the EU's safe harbor laws, but it will never happen as long as the Cheeto in Chief is in office. Although the Dems never prioritized this either.

Accenture ar77598 OP Sep 11, 2017

I consult for a major bank, and I can tell you that at least with respect to financial institutions there is a legal framework that forces banks to classify and secure PII and sensitive information. And I can tell you they are secured by design. It would be very hard to get to those data repositories from a client-facing server, and even if you do, the data is not plain text. Our own PC hard disks are encrypted even though by policy we cannot store any sensitive information. Perhaps these are legal requirements for financial institutions only. Perhaps lawmakers consider that consumer, commercial, privacy and other laws are enough to keep companies in check. There's already a class action lawsuit against Equifax, although a very weak one IMO, plus any other companies who use their services might raise claims to collect the expenses they will incur to repair the damage on their side. I am very surprised by the silence around this issue: nothing beyond how to know if you were impacted and what you can do to safeguard your identity by yourself. Based on the little that has been shared here, it seems there was a lot of negligence from Equifax.

Accenture ar77598 OP Sep 11, 2017

So... the attorney general is launching an investigation into the hack. I hope it includes analyzing whether Equifax has some level of legal liability.

Accenture ar77598 OP Sep 11, 2017

Thank you! “In one case, an OGNL expression. In the other, a serialized object. The Equifax Struts application would receive this request, and get tricked into executing operating system commands. The attacker can use these to take over the entire box – do anything the application can do. So, they probably stole the database credentials out of the application, ran some queries, and then exfiltrated the data to some server they control on the internet.”

OYHA41 Sep 11, 2017

Best yet is that a bunch of Fortune 500 companies use Struts, as well as the IRS.

Dell devstat Sep 11, 2017

Even with vulnerabilities in Struts you *can* build secure services on Struts with multi-layer security. You should always assume the front-end service has vulnerabilities.
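The quote above (an OGNL expression arriving in a header, a serialized Java object arriving in a body) and devstat's point that the front end should be assumed vulnerable both argue for a detection layer in front of the application. As an added example that is not code from this thread, here is a small Python classifier run over constructed request-log records; the log format, field names and sample values are assumptions for illustration.

```python
import re

# Constructed, simplified request-log records (path, Content-Type, body prefix),
# as a reverse proxy or WAF might capture them. Not real traffic from any site.
SAMPLE_LOG = [
    {"path": "/login", "content_type": "application/x-www-form-urlencoded",
     "body": b"user=alice&pw=hunter2"},
    {"path": "/upload", "content_type": "%{(#demo_placeholder)}", "body": b""},
    {"path": "/api/orders", "content_type": "application/octet-stream",
     "body": b"\xac\xed\x00\x05sr\x00"},
    {"path": "/api/orders", "content_type": "application/x-www-form-urlencoded",
     "body": b"payload=rO0ABXNyAAxkZW1v"},
    {"path": "/static/app.js", "content_type": "", "body": b""},
]

# OGNL/EL expression delimiters have no legitimate place in a Content-Type header.
OGNL_IN_HEADER = re.compile(r"[%$]\{")
# Java serialization stream header, raw and as its base64-encoded prefix.
JAVA_SERIAL_RAW = b"\xac\xed\x00\x05"
JAVA_SERIAL_B64 = b"rO0AB"


def classify_request(entry: dict) -> list[str]:
    """Return detection labels for one request record (empty list = clean)."""
    findings = []
    if OGNL_IN_HEADER.search(entry.get("content_type", "")):
        findings.append("ognl-expression-in-content-type")
    body = entry.get("body", b"")
    if body.startswith(JAVA_SERIAL_RAW) or JAVA_SERIAL_B64 in body:
        findings.append("java-serialized-object-in-body")
    return findings


def scan(entries) -> list[tuple[str, list[str]]]:
    """Run the classifier over a log and keep only the flagged requests."""
    flagged = []
    for entry in entries:
        labels = classify_request(entry)
        if labels:
            flagged.append((entry["path"], labels))
    return flagged


if __name__ == "__main__":
    for path, labels in scan(SAMPLE_LOG):
        print(f"{path}: {', '.join(labels)}")
```

A check like this belongs at the proxy or WAF layer and is a supplement to patching, not a substitute; the database credentials the application holds should also be scoped to the minimum it needs, so a compromised front end cannot run arbitrary queries.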

Google SXLo73 Sep 11, 2017

Look up their chief security officer.

Microsoft Tiny_Rick Sep 11, 2017

I wonder what 143 million people getting assfucked sounds like. Maybe she can compose a musical about that.